Code42 Support

User Management With LDAP Integration

Applies to:
  • CrashPlan PROe
This article assumes you have already set up basic LDAP authentication and describes how to extend your Code42 environment integration with LDAP. For information on configuring your Code42 environment to use LDAP for authentication, see Integrating With LDAP For User Authentication.

LDAP script capabilities

You can add JavaScript to your master server to read user attributes and group membership information from your LDAP environment and to perform the following actions:

  • Active Script: Activate or deactivate user(s)
  • Org Name Script: Assign user(s) to a specified organization
  • Role Script: Assign roles to user(s)

The Active, Org Name, and Role scripts determine whether any changes need to be made within your Code42 environment based on the user's current LDAP attributes and group membership.

The Active, Org Name, and Role scripts are run at two events: user creation and LDAP sync.

Do not use regular expressions (regex) in Code42 LDAP scripts
Use of regex syntax causes LDAP sync to take much longer to complete than using other string functions.

Example use of LDAP scripting

Consider the following situation. Company X's Org Name script depends on the location LDAP attribute. If the location attribute for user jsmith changes from San Francisco to New York, then the LDAP sync process moves jsmith from the San Francisco org to the New York org.

Capabilities at user creation

When users are created, the Active, Org Name, and Role scripts are run. The scripts immediately affect the newly created users, placing them into the correct organization and granting them appropriate user roles based on their LDAP attributes and group membership.

Capabilities at LDAP sync

LDAP sync executes the Active, Org Name and Role scripts each time it runs. By default, LDAP synchronization runs once every 12 hours, but this interval length can be configured.

User creation with LDAP
LDAP integration helps to manage users, but it does not create them on its own. Create CrashPlan PROe users alongside LDAP integration in one of three ways:

At each LDAP sync, the scripts apply to all users. Certain scripts behave slightly differently at LDAP sync than at initial user creation. Behavior for each script is individually described below.

Scripting assistance
The sections below contain sample scripts that you may use or modify. For scripting assistance, please contact Sales for information on our consulting options. Scripting support is beyond the scope of technical support and requires assistance from our PRO Services team. PRO Services has access to a large library of existing scripts and can help tailor CrashPlan PROe's LDAP integration as needed.

Active script

By default, LDAP sync automatically deactivates any users that do not match the LDAP search filter. Deactivated accounts are no longer authorized to back up or restore, and associated device archives are automatically placed into cold storage.

The default Active script code, which handles the default Active script behavior, is:

function(entry) {return true;}

If the user is found in LDAP, the default JavaScript function returns the value TRUE. The master server then treats the user as active.

But what if your company policy requires that LDAP entries for users remain permanently in LDAP, and the user's employment status is maintained via an LDAP attribute? You can use an Active Script to deactivate a user account based on an LDAP user attribute.

Active script example

Deactivate a user if the 'employeeType' attribute equals 'inactive', or activate a user if the 'employeeType' attribute equals any other value.

function(entry) { return entry.employeeType !="inactive" }

User deactivation and reactivation

When a user is deactivated, the user's devices are automatically deactivated. However, when a user is reactivated, the user's devices are not automatically reactivated. Devices can be reactivated in two ways:

  • The reactivated user may sign in to the CrashPlan app on the device that is deactivated.
  • The administrator may activate the user's device from the administration console.

In either case, the device's GUID remains the same. Data that was previously backed up is still available, if the data retention period has not expired. File selections and other settings also remain the same.

Org name script

The Org Name script places a user into a specific organization. JavaScript is used to parse the user's LDAP entry and return a single value. The user is placed into an organization that matches the return value. The Org Name script is applied during user creation, as well as each time the LDAP sync process runs.

Org name script behavior at user creation

The Org Name script uses several parameters given to it, including the name of a target organization and an organization's registration key, to sort users into organizations.

Target organizations do not need to exist before the script runs. If a named target organization does not exist, the Org Name script creates an organization with that name as a child of the organization corresponding to the given registration key.

Any valid parsing can be performed on the DN (distinguished name) of the user's record with JavaScript, and in this way, LDAP OUs (organizational units) can map to Code42 environment organizations automatically.

Org name script behavior during LDAP sync

Unlike Org Name script behavior at user creation, organizations are not created by the Org Name script during regularly scheduled LDAP sync. This is because the Org Name script doesn't have the scope to determine your Code42 environment's organization structure in order to locate users and organizations.

LDAP OUs can still map automatically to your Code42 environment's organizations, but you will need to create the organizations in order for the Org Name script to sort your users during LDAP sync.

Org name script example

The Org Name script can place users into a Code42 environment organization based on the OU specified in each user's LDAP distinguished name. The script does the following:

  1. Parse the user's distinguished name.
  2. If the user is in the LDAP Staff OU, return the value “Staff” to place the user into the Code42 environment's Staff organization.
  3. If the user is in the LDAP Students OU, return the value “Students” to place the user into the Code42 environment's Students organization.
  4. If the user is in neither the Staff nor the Students OU, return the value “Default” to place the user in the Default organization.

function(entry) {
   // entry.dn is the user's full distinguished name; indexOf is a substring
   // test on the whole DN, so the first matching text wins.
   var ou = entry.dn;
   if (ou != null) {
       if (ou.indexOf("Staff") >= 0) {
           return 'Staff';
       }
       else if (ou.indexOf("Students") >= 0) {
           return 'Students';
       }
   }
   // No DN, or neither OU found
   return 'Default';
}

Role script

The Role script applies a set of user roles to a user account based on the user's LDAP attributes or security group membership.

Role script example

This example analyzes an LDAP environment and grants CrashPlan PROe user roles based on LDAP memberships.

  1. Determine which LDAP groups the user is a member of.
  2. Map the appropriate Code42 environment roles to the account:
    • If the user is a member of the Admins LDAP group, grant the SYSADMIN role.
    • If the user is a member of the Support LDAP group, grant the All Org Admin role.
    • If the user is a member of the Managers group, grant the All Org Manager role.
    • If the user is a member of the WorkstationAdmins group, grant the Server Administrator role.

function(entry) {
   var memberof = entry.memberOf;

   // Default user roles
   var myRoles=new Array("PROe User","Desktop User");

   // A user in no LDAP group has no memberOf value; return the defaults
   if (memberof == null) {
      return myRoles;
   }

   // Loop over LDAP groups. indexOf is a substring test, so the more specific
   // group name is checked first: otherwise "WorkstationAdmins" also matches
   // "Admins" and the user would be granted SYSADMIN as well.
   for (var x = 0; x < memberof.length; ++x) {
      if (memberof[x].indexOf("WorkstationAdmins") > -1) {
         myRoles.push("Server Administrator");
      }
      else if (memberof[x].indexOf("Admins") > -1) {
         myRoles.push("SYSADMIN");
      }
      else if (memberof[x].indexOf("Support") > -1) {
         myRoles.push("All Org Admin");
      }
      else if (memberof[x].indexOf("Managers") > -1) {
         myRoles.push("All Org Manager");
      }
   }
   return myRoles;
}
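The Org Name and Role examples above test for group and OU names as substrings of a DN, so a CN such as "Staff Printer" lands in the Staff org and a "WorkstationAdmins" group contains the text "Admins". The following is an added example, not Code42's own code, showing both script bodies rewritten to compare whole RDN values using only plain string functions (no regex, per the note earlier in this article); the names rdnValues, orgNameScript, roleScript and GROUP_ROLES are chosen here, and a Code42 script would paste each body as the anonymous function(entry). It assumes DN values contain no escaped commas and that the script engine supports ES5 String.prototype.trim.

```javascript
// Return every value in `dn` whose attribute type equals `type`, ignoring case,
// e.g. "CN=jsmith,OU=Staff,DC=example,DC=com" with type "ou" gives ["Staff"].
function rdnValues(dn, type) {
  var out = [];
  if (typeof dn !== "string") { return out; }
  var parts = dn.split(",");
  for (var i = 0; i < parts.length; i++) {
    var eq = parts[i].indexOf("=");
    if (eq < 0) { continue; }
    if (parts[i].slice(0, eq).trim().toLowerCase() === type.toLowerCase()) {
      out.push(parts[i].slice(eq + 1).trim());
    }
  }
  return out;
}

// Org Name script body: an OU must be exactly "Staff" or "Students"; the
// outermost matching OU wins, so nested OUs under Students still map there.
function orgNameScript(entry) {
  var ous = rdnValues(entry.dn, "ou");
  for (var i = 0; i < ous.length; i++) {
    if (ous[i] === "Staff") { return "Staff"; }
    if (ous[i] === "Students") { return "Students"; }
  }
  return "Default";
}

// Group CN -> Code42 role; exact CN match keeps "WorkstationAdmins" off SYSADMIN.
var GROUP_ROLES = {
  "Admins": "SYSADMIN",
  "Support": "All Org Admin",
  "Managers": "All Org Manager",
  "WorkstationAdmins": "Server Administrator"
};

// Role script body. memberOf is absent for users in no group and (assumed here)
// may be a single string rather than an array; both forms are normalised.
// hasOwnProperty stops a group named e.g. "constructor" matching Object.prototype.
function roleScript(entry) {
  var roles = ["PROe User", "Desktop User"];
  var groups = entry.memberOf == null ? [] : [].concat(entry.memberOf);
  for (var i = 0; i < groups.length; i++) {
    var cn = rdnValues(groups[i], "cn")[0];
    if (cn !== undefined && Object.prototype.hasOwnProperty.call(GROUP_ROLES, cn)
        && roles.indexOf(GROUP_ROLES[cn]) < 0) {
      roles.push(GROUP_ROLES[cn]);
    }
  }
  return roles;
}
```

A user in several groups collects each mapped role once, and a DN that matches nothing falls back to the default org and default roles.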

Still unsure?

Please contact sales for information on our consulting options.